Your daily source of Pwnage, Policy and Politics.

Episode 506 – DC19 Videos, Odds 1/60 & 1/100, Facebook Attachments, Little Orphan Android, FIS & Got Pwn’d?

InfoSec Daily Podcast Episode 506 for October 28, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangrajan, Geordy Rostad, and Dr. Bonez.

Announcements:
New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families.  No talks, just a bunch of like-minded people and some good food.)

BsidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on some current topics (Hacker vs Biz Skillset, etc.), a Lockpick Village by FALE, and a prize giveaway at the end.  And, of course, an all-day Podcast Area.

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:
Source: https://www.defcon.org/html/links/dc-archives/dc-19-archive.html

The videos for DEF CON 19 have been posted.  

Source: http://www.darkreading.com/insider-threat/167801100/security/client-security/231901810/social-malice-one-in-100-tweets-and-one-in-60-facebook-posts-are-malicious.html

Here's what social networking looks like on the dark side: one in 100 tweets today are malicious, and one in 60 Facebook posts are as well.

Facebook users are the least confident in social network security, with 40 percent confessing they feel unsafe on Facebook, while 28 percent feel that way about Twitter, and 14 percent on LinkedIn. But that doesn't mean LinkedIn won't eventually become a big target for cybercrime: "When you look at the actual damage that could be done to a business" by hackers targeting LinkedIn accounts, it's high for business disruption and employee misinformation, for example, says Daniel Peck, senior research scientist with Barracuda Labs, who today at HackerHalted in Miami shared Barracuda's latest data on malicious activity on Twitter, Facebook, and on search engines.

According to new Barracuda survey data of social media users, LinkedIn is the least-blocked social network by enterprises, with only 20 percent of organizations preventing their employees from using LinkedIn from work. That in contrast to Twitter (25 percent); Google+ (24 percent); and Facebook (31 percent).

Peck predicts that LinkedIn definitely will be a target for badness. "I think there will be a lot of social attacks there," he says.

Interestingly, most users say the important factors to consider when joining a social network are security (92 percent), that their friends use it (91 percent), privacy (90 percent), and ease of use (87 percent). More than 90 percent have received spam over a social network, and more than half have experienced phishing attacks. More than 20 percent have received malware, 16.6 have had their account used for spamming, and about 13 percent have had their account hijacked or their password stolen. More than half are unhappy with Facebook's privacy controls.
Meanwhile, Barracuda counted 43 percent of Twitter accounts as "true users" with real followers and regular tweets, and 57 percent as "not true users" — either spam bots or inactive accounts.
Attackers abuse Twitter in much the same way that they engage in search-engine poisoning, according to Peck, casting a wide net and hoping to get more eyeballs. "Facebook manipulates trust more – your Friends are people you make eye contact with," he says.

"Facebook is less likely to get hit by a driveby download or to exploit your browser. Twitter is more likely" to get hit that way, he says. "A Facebook [attack] is more likely going after your data, or pushing an affiliate scam sort of thing."

The good news about Facebook abuse, Peck says, is that it's become high-profile enough that word gets out faster when a scam hits. A prime example was this week, when a "Starbucks' anniversary" scam began to spread. "So Starbucks Corporate put out on Twitter that it was a Facebook scam and was not real," Peck says. "This is getting big enough that the big companies are starting to notice the scams."

Barracuda also measured search malware on Google, Bing, Twitter, and Yahoo over a 153-day period and found 34,627 malware samples, with one in 1,000 search results leading to malware. And one in five search topics leads to malware, with "music + video" containing the most malicious links. The number two search term leading to malware: "JenniJ-Woww," with 17 percent of the malicious search results.

Source: http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html

When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanism. Note, you do NOT have to be friends with the user to send them a message with an attachment.
When attaching an executable file, Facebook will return an error message stating:

"Error Uploading: You cannot attach files of that type."

When uploading a file attachment to Facebook we captured the web browser's POST request being sent to the web server. Inside this POST request is the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename="cmd.exe "
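As an added illustration (not code from the advisory or from Facebook), the two checks below show why the trailing space worked and how a defender-side validator should canonicalise the filename and sniff the content before deciding; the deny list and sample header are constructed for this example.

```python
import re
import posixpath

# Extension deny list, constructed for this example.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi"}

CD_FILENAME = re.compile(r'filename="([^"]*)"')

def filename_from_content_disposition(header):
    """Return the raw filename parameter from a multipart Content-Disposition line."""
    m = CD_FILENAME.search(header)
    return m.group(1) if m else ""

def naive_is_allowed(filename):
    """Mimics the weak check the advisory describes: a bare suffix test on the
    unmodified filename, which 'cmd.exe ' (trailing space) slips past."""
    return not any(filename.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def normalize_filename(filename):
    """Canonicalise before deciding: drop directory parts, remove control
    characters, strip surrounding whitespace and dots, and lower-case."""
    name = posixpath.basename(filename.replace("\\", "/"))
    name = "".join(ch for ch in name if ch.isprintable()).strip(" \t\r\n.")
    return name.lower()

def hardened_is_allowed(filename, head=b""):
    """Decide on the canonical name and on the first bytes of the upload."""
    name = normalize_filename(filename)
    # Reject a blocked extension anywhere after the first dot, so that
    # 'cmd.exe.txt' and 'cmd.exe ' are both refused.
    parts = name.split(".")
    if any("." + p in BLOCKED_EXTENSIONS for p in parts[1:]):
        return False
    # Do not trust the name alone: a Windows PE executable starts with 'MZ'.
    if head[:2] == b"MZ":
        return False
    return True
```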

Source: http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support

The announcement that Nexus One users won’t be getting upgraded to Android 4.0 Ice Cream Sandwich led some to justifiably question Google’s support of their devices. I look at it a little differently: Nexus One owners are lucky. I’ve been researching the history of OS updates on Android phones and Nexus One users have fared much, much better than most Android buyers.
I went back and found every Android phone shipped in the United States up through the middle of last year. I then tracked down every update that was released for each device – be it a major OS upgrade or a minor support patch – as well as prices and release & discontinuation dates. I compared these dates & versions to the currently shipping version of Android at the time. The resulting picture isn't pretty – well, not for Android users:

Source: http://www.newscientist.com/article/dn21095-inside-facebooks-massive-cybersecurity-system.html

FACEBOOK has released details of the extraordinary security infrastructure it uses to fight off spam and other cyber-scams.
                 
Known as the Facebook Immune System (FIS), the massive defence network appears to be successful: numbers released by the company this week show that less than 1 per cent of users experience spam. Yet it's not perfect. Researchers have built a novel attack that evaded the cyber-defences and extracted private material from real users' Facebook accounts.
                 
It took just three years for FIS to evolve from basic beginnings into an all-seeing set of algorithms that monitors every photo posted to the network, every status update – indeed, every click made by every one of the 800 million users. There are more than 25 billion of these "read and write actions" every day. At peak activity the system checks 650,000 actions a second.
                 
"It's a big challenge," says Jim Larus, a Microsoft researcher in Redmond, Washington, who studies large networks. The only network bigger, Larus suspects, is the web itself. That makes Facebook's defence system one of the largest in existence.
                 
It protects against scams by harnessing artificially intelligent software to detect suspicious patterns of behaviour. The system is overseen by a team of 30 people, but it can learn in real time and is able to take action without checking with a human supervisor.
                 
One notable attack took place in April, says Tao Stein, a Facebook engineer who works on the system. It began when several users were duped into copying computer code into their browser's address bar. The code commandeered the person's Facebook account, and started sending chat messages to their friends saying things like "I just got a free iPad", along with a link where the friends could go to get their own. Friends who clicked on the link went to a site that encouraged them to paste the same code into their browsers, further spreading the plague. "Attacks like these can generate millions of messages per minute," says Stein.
                 
Users are less likely to fall for a similar tactic when using email, because the message would probably be sent by a stranger.
                 
But inside Facebook's network it's much more persuasive. "It's easier to exploit trust relationships in online social networks," says Justin Ma, a computer scientist at the University of California, Berkeley, who develops methods to combat email spam.
                 
To tackle the attack, FIS generated a signature that it used to differentiate between spam and legitimate messages. This was based on the links in the spam messages, keywords like "free" and "iPad", and the IP addresses of the computers sending the messages.
                 
But spammers can use multiple machines to switch IP addresses, and link redirection services like bit.ly can change links on the fly. So FIS checked to see which messages were being flagged as spam by users and blocked messages with similar keywords in the text. Together with other features of the message, which Facebook declined to discuss for fear of aiding spammers, the system was able to begin developing a signature to identify the spam within seconds of the attack emerging.
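The signature idea the article describes, as an added, deliberately simplified example (not Facebook's code): keywords common to user-flagged messages form the stable part of the signature, while link hosts and sender IPs are treated as corroborating but easily rotated evidence. The messages and IP addresses are constructed.

```python
import re

# Constructed sample of chat messages as (sender_ip, text); the indexes in
# FLAGGED are the ones users reported as spam and seed the signature.
MESSAGES = [
    ("203.0.113.10", "I just got a free iPad, get yours here http://bit.ly/abc1"),
    ("203.0.113.11", "OMG free iPad for everyone!! http://bit.ly/abc2"),
    ("198.51.100.7", "free ipad giveaway, grab it now http://t.co/zzz9"),
    ("192.0.2.5", "are we still on for lunch tomorrow?"),
    ("192.0.2.6", "I got a free coffee at the new place on 5th"),
    ("192.0.2.7", "check out this link http://example.org/blog"),
]
FLAGGED = {0, 1}

URL = re.compile(r"https?://([^/\s]+)\S*")
WORD = re.compile(r"[a-z]+")
STOPWORDS = {"a", "an", "and", "the", "i", "you", "for", "to", "of", "is"}

def features(message):
    """Split one message into its keyword set, link hosts and sender IP."""
    ip, text = message
    hosts = {h.lower() for h in URL.findall(text)}
    words = set(WORD.findall(URL.sub(" ", text).lower())) - STOPWORDS
    return {"words": words, "hosts": hosts, "ip": ip}

def build_signature(messages, flagged):
    """Keywords shared by every flagged message are the text part of the
    signature; link hosts and sender IPs are the infrastructure part."""
    feats = [features(messages[i]) for i in sorted(flagged)]
    return {
        "words": set.intersection(*(f["words"] for f in feats)),
        "hosts": set().union(*(f["hosts"] for f in feats)),
        "ips": {f["ip"] for f in feats},
    }

def is_spam(message, signature):
    """Match if the message carries every signature keyword (this catches
    re-worded variants sent from new hosts and IPs) or reuses known
    spam infrastructure."""
    f = features(message)
    keyword_hit = bool(signature["words"]) and signature["words"] <= f["words"]
    infra_hit = bool(f["hosts"] & signature["hosts"]) or f["ip"] in signature["ips"]
    return keyword_hit or infra_hit

def flag_spam(messages, flagged):
    """Return the indexes of all messages caught by the signature built from `flagged`."""
    signature = build_signature(messages, flagged)
    return [i for i, m in enumerate(messages) if is_spam(m, signature)]
```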
                 
Facebook said this week that, thanks to FIS, less than 4 per cent of the network's messages are spam and that fewer than 1 in 200 users experience spam on any given day. "It's pretty good," says Ma, who has a Facebook account. "I'm pretty happy with the level of security."
                 
Yet like any defence based on patterns of known behaviour, FIS is vulnerable to strategies it has not seen before. Yazan Boshmaf and colleagues at the University of British Columbia in Vancouver, Canada, have exploited this and eluded the system by creating "socialbots" – software that can pose as a human and control a Facebook account.
                 
The bots began by sending friend requests to random users, around 1 in 5 of whom accepted. They then sent requests to the friends of the people they had connected with, and the acceptance rate jumped to almost 60 per cent. After seven weeks the team's 102 bots had made a combined 3000 friends.
                 
Facebook's privacy settings allow users to shield personal information from public view. But because the socialbots posed as friends, they were able to extract some 46,500 email addresses and 14,500 physical addresses from users' profiles – information that could be used to launch phishing attacks or aid in identity theft.
                 
"An attacker could do many things with this data," says Boshmaf, who will present the team's work at the Annual Computer Security Applications Conference in Orlando, Florida, next month.
                 
A socialbot attack is yet to happen, but it's only a matter of time. Socialbots behave differently to humans that enter Facebook for the first time, in part because they have no real-world friends to connect with, and their random requests lead to an unusually high number of rejections. FIS would be able to use this pattern to recognise and block an attack of socialbots, says Stein. That would put Facebook back on top – if only until hackers release their next innovation.

Source: http://threatpost.com/en_us/blogs/got-pwned-pwnedlistcom-knows-102711

With more and more victims of identity theft minted every day, figuring out if you're one of the unlucky masses with a leaked email password is yeoman's work. Now one security researcher is trying to make it easy with PwnedList.com, a Web site that collects leaked and stolen data, then tells Internet users whether their information is in it.
PwnedList is the brainchild of Alen Puzic, a security researcher who works for HP's TippingPoint DVLabs on the Advanced Security Intelligence team. The biggest challenge, he says, is staying on top of the tsunami of leaked records – which are pouring in at a rate of 40,000 to 50,000 a week. Puzic chatted with Threatpost editor Paul Roberts via Skype this week.